Hi,
Is there any way to retrieve the address map file for ntdll.dll?
I know the address entries of the exported functions, but I need to see if there is a non-exported function at 000117DF. The closest exported function is at 0001161D (RtlInitializeCriticalSection).
Thanks!
Not the .map file that I know. PDB files are available on the microsoft symbol server.
If you have a Visual Studio more recent than VS6, you can enter URLs to symbol servers into the debugging symbols window.
Enter this into the debug symbol locations configuration dialog for VS2005 or VS2008 (or 2010?)
http://msdl.microsoft.com/download/symbols
If you don't use a (recent) Microsoft development environment, all is not lost. The debugging tools for windows is a free download, and includes the windbg debugger. Windbg has a similar debug symbols configuration dialog that can be told to download PDB files automatically given a symbol server URL.
What could you do with this information? It's not guaranteed that this function that you find there will still be there, or work the same in another release; Microsoft could even change this in a hotfix or service pack.